- 10 Mar, 2013 2 commits
-
-
Antonio Borneo authored
This patch just plays with space and tabs, so git diff -w does not report anything.
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Antonio Borneo authored
Current code mixes "defined()" and "defined ()". Use Linux kernel choice so I can reuse kernel checkpatch.
sed -i 's/defined (/defined(/g'
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 09 Mar, 2013 2 commits
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
John Morrissey authored
Signed-off-by: John Morrissey <jwm@horde.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 08 Mar, 2013 1 commit
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 07 Mar, 2013 2 commits
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 06 Mar, 2013 9 commits
-
-
David Woodhouse authored
This is fairly icky; I don't know how we're supposed to get the pkgconfig Libs.private in our build, so I'm overriding $(GNUTLS_LIBS) manually.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
The existing setup would only build as part of a full AOSP build, not as a standalone application with the NDK. Fix that...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Now you just have to define NO_BROKEN_DTLS_CHECK instead of editing the source code to remove the check.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 04 Mar, 2013 5 commits
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Kevin Cernekee authored
XML POST mode introduces a new header in the <auth> response. Squash it so that people don't inadvertently post logs containing webvpn cookies.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
If something like certificate setup went wrong, we'd return failure but *not* destroy the gnutls_certificate_credentials_t that we were attempting to set up. So a subsequent retry would see that it already exists, assume it's *fine* and just go ahead and use it. Don't do that.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
If the XML POST fails and we try a GET, we need to handle redirects for that too. So re-use the same loop. Except the bit about not allowing local redirects. Why do we do that for the XML POST case anyway?
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
I couldn't trigger this until I hacked up stuff elsewhere to return artificial failures, but still...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 03 Mar, 2013 1 commit
-
-
David Woodhouse authored
The NDK doesn't include keystore.h but that only has a few error numbers so we can define those locally. We also can't call socket_local_client() but that's only a simple socket() and connect() call on a Unix socket anyway. Also make keystore_strerror() return a const char *.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 02 Mar, 2013 1 commit
-
-
Nikos Mavrogiannopoulos authored
Normally we'd use Android.mk but you can also build for Android using Cerbero and the autohate build system instead.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 25 Feb, 2013 1 commit
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 22 Feb, 2013 1 commit
-
-
David Woodhouse authored
Commit b0b4b34f ('Canonicalise hostname during authentication if necessary') replaces the hostname with a bare IP address if necessary, so that reconnecting is guaranteed to get the *same* host from a round-robin and comparing the SSL cert with its previous SHA1 fingerprint (which is how we do it for two-stage connection for example from NetworkManager) is guaranteed to work.

However, this breaks certificate auth when invoked in one-stage mode from the command line to authenticate *and* actually make the connection. When vpninfo->hostname is replaced with a bare IP address, that might not actually be what's listed in the certificate's Subject or Altname fields. So users have reported a certificate validation failure on *reconnecting* to the server which was acceptable the first time round when we looked it up by name.

So, don't actually replace vpninfo->hostname at all. Introduce a new field vpninfo->unique_hostname which is returned by openconnect_get_hostname(), and leave vpninfo->hostname as it was.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 20 Feb, 2013 1 commit
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 18 Feb, 2013 3 commits
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
We need to free the original pointer, if gnutls_realloc() returns NULL.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Implement a helper which actually *does* free the original pointer on allocation failure, as I evidently always expected it to.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700805
Reported by: Niels Thykier <niels@thykier.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 17 Feb, 2013 5 commits
-
-
David Woodhouse authored
We can move the algo calculation into a verify_signed_data() function. This would have been a cleaner way to do it in the first place anyway.
Reported-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Kevin Cernekee authored
This needs to allow for input elements named "answer" instead of "password", and it needs to check form->message instead of the label attribute for the "Next TOKENCODE" prompt.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Kevin Cernekee authored
The gateway may ask the user to fill out different forms that live at different URLs, e.g.

GET /+webvpn+/index.html
(returns <form method="post" action="/+webvpn+/index.html"> and username/password form elements)

POST /+webvpn+/index.html
(returns <form method="post" action="/+webvpn+/login/challenge.html"> and challenge/response form elements)

POST /+webvpn+/login/challenge.html
(returns <auth> node with valid cookie)

The refactored openconnect_obtain_cookie() loop tried to post the challenge/response data to index.html, preventing successful login. This patch changes the logic so that it will honor the new "action" attribute if present.

This probably does not affect XML POST mode, because XML POST <form> tags do not seem to use attributes.
Reported-by: Fabian Jäger <fabian.jaeger@chungwasoft.com>
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Kevin Cernekee authored
The Cisco AnyConnect client exhibits some quirky behavior on fields with certain names:

For "answer", "whichpin", and "new_password", the field is renamed to "password" in the submission.

For "verify_pin" and "verify_password", the field is omitted entirely.

One might expect the client to perform a comparison to see if the first password/PIN field matches the verify_* field, but in my testing, I didn't actually see it doing so.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Kevin Cernekee authored
Experimentation with the Cisco AnyConnect client showed that the following changes need to be made for compatibility:

1) If the "value" attribute is missing from the <option> node, use the XML node content instead. i.e. this should post as "<dropdown>vpn</dropdown>":

<select name="dropdown">
  <option>vpn</option>
</select>

And this should post as "<dropdown>optname</dropdown>":

<select name="dropdown">
  <option value="optname">vpn</option>
</select>

2) If the name of the <select> node happens to be "group_list", put the response in a special <group-select> node right under the <config-auth> node, instead of putting it under the <auth> node. (These strings are hardcoded into the Cisco client.)
Reported-by: Fabian Jäger <fabian.jaeger@chungwasoft.com>
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 13 Feb, 2013 6 commits
-
-
Nikos Mavrogiannopoulos authored
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Some people have seen extremely low pMTU values from the kernel. Not sure why, but let's impose a lower limit for now.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
(cherry picked from commit b37161f6)
-